Agenda
Configure Topology in Packet Tracer
Configuration Features Common in Routers & Switches
Configuring Simple Password Security for Console & Telnet Access
Configuring Usernames & SSH
Password Encryption
Enable Mode Passwords
Banners
www.asghars.blogspot.com
Switch IP Configuration
Interface Configuration
Port Security
VLAN Configuration
Securing Unused Interfaces
Add two PDUs: one with PC0 as source and PC1 as destination, and similarly one in the reverse direction with PC1 as source.
Configuring Password for Enable Mode
Configuring Password for Console Access
Configuring Password for Telnet Access
Configuring Usernames & SSH
Password Encryption
Enable Mode Passwords
By default, the enable command lets console users enter enable mode without a password. To protect enable mode, use the enable secret global configuration command.
enable: move from user EXEC mode to enable mode
configure terminal: move from enable mode to global configuration mode
You can verify the previous configuration with the show running-config command.
SSH is the preferred method for remote login to switches and routers. Telnet sends all data, including passwords, as clear text, while SSH encrypts the data sent between the SSH client and the SSH server. SSH can use one of two user authentication methods:
Username and password configured on the switch
Username and password configured on an external Authentication, Authorization & Accounting (AAA) server
Step 1: Configure both a hostname and a domain name; both are required before the encryption keys can be generated
Step 2: Generate the encryption key
Step 3: Set the maximum idle timer
Step 4: Set the maximum number of failed attempts
Step 5: Generate a public and private key pair as well as a shared encryption key
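The five steps above as one complete configuration, written here as an added example (not taken from the slides); the hostname SW1, the domain name lab.example.com, the username admin, the password placeholder and the timer values are assumptions.

```cisco
! Step 1: hostname and domain name (both are needed before keys can be generated)
Switch(config)# hostname SW1
SW1(config)# ip domain-name lab.example.com
! Step 2: generate the RSA key pair used by the SSH server (assumed 2048-bit modulus)
SW1(config)# crypto key generate rsa modulus 2048
! Allow only SSH version 2; version 1 has known weaknesses
SW1(config)# ip ssh version 2
! Step 3: maximum idle time, in seconds, allowed while a session is being negotiated
SW1(config)# ip ssh time-out 60
! Step 4: maximum failed authentication attempts per connection
SW1(config)# ip ssh authentication-retries 2
! Step 5: local username whose password is stored as a hash, not clear text
SW1(config)# username admin privilege 15 secret <strong-password>
! vty lines: authenticate against the local username database and refuse Telnet
SW1(config)# line vty 0 15
SW1(config-line)# login local
SW1(config-line)# transport input ssh
SW1(config-line)# end
! Verification: SSH must report Enabled with version 2.0
SW1# show ip ssh
```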
Password Encryption
The password and username commands store the password in clear text in the running-config file; the enable secret command is the only one that hides the password value. To avoid exposing passwords in a printed copy of the configuration file, you can encrypt them with the service password-encryption global configuration command. If the no service password-encryption command is issued later, the passwords remain encrypted until they are changed, at which point they show up in clear text.
The enable secret command uses an MD5 hash to hide the password. MD5 is much more secure than the encryption used by the service password-encryption command. If both the enable password and enable secret commands are configured, the password set with enable secret is the one that must be entered.
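An added example, not from the slides, that puts the clear-text storage described above beside the hardened form and shows how each ends up in running-config; every password, hash and type-7 string shown is a placeholder.

```cisco
! Weak: enable password and the console line password are written to
! running-config exactly as typed, so a printed configuration reveals them.
SW1(config)# enable password <clear-text-password>
SW1(config)# line console 0
SW1(config-line)# password <clear-text-password>
SW1(config-line)# login
SW1(config-line)# exit
!
! Hardened: enable secret stores an MD5 hash (type 5) instead of the password,
! the redundant enable password is removed, and service password-encryption
! obfuscates the line and username passwords that are still stored (type 7).
SW1(config)# enable secret <strong-enable-password>
SW1(config)# no enable password
SW1(config)# service password-encryption
SW1(config)# username admin secret <strong-user-password>
SW1(config)# end
!
! What show running-config displays afterwards (placeholders). Type 7 is
! reversible obfuscation, which is why the MD5 secret is the only one of
! these values that is genuinely protected.
!   enable secret 5 <md5-hash>
!   username admin secret 5 <md5-hash>
!   line con 0
!    password 7 <type-7-string>
!    login
```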
The running-config shows the MD5 hash value rather than the password itself.
no enable secret: delete the enable secret password.
The following configuration settings affect the behavior of CLI connections from the console and the vty lines (Telnet and SSH):
Banners
A banner is simply some text that appears on the screen for the user. Cisco routers and switches can display a variety of banners. The three most popular banners are:
Message of the Day (MOTD): shown before the login prompt. Used for temporary messages.
Login: shown after the MOTD but before the login prompt. Used for permanent messages.
Exec: shown after the login prompt. Used to supply information that should be hidden from unauthorized users.
History Buffer
The last several commands are saved in the history buffer. Commands related to the history buffer are:
show history: list the commands currently held in the buffer
history size (line configuration mode): set the default number of commands kept for the user(s) of the console or vty lines
terminal history size (EXEC mode): lets a user set the size of the history buffer for his or her single connection
The switch or router puts syslog messages on the console screen at any time, including right in the middle of a command you are entering. To make using the console a little easier, you can tell the switch to display syslog messages only at convenient times: configure the logging synchronous line subcommand.
By default, the switch or router automatically disconnects users after 5 minutes of inactivity. To set a different inactivity timer, use the exec-timeout line subcommand. If the timeout is set to 0 minutes and 0 seconds, the router never times out the console connection.
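The banner, history buffer, logging synchronous and exec-timeout settings from the preceding slides, combined into one added example (not from the slides); the banner text, the history size of 30 and the 5-minute timeout are assumptions.

```cisco
! Banners: MOTD before login, login before the login prompt, exec after login.
! The delimiter (# here) must not appear inside the banner text.
SW1(config)# banner motd #Authorized access only. Activity is monitored.#
SW1(config)# banner login #Authorized users only.#
SW1(config)# banner exec #Change control ticket required for all configuration changes.#
! Console line: keep 30 commands, stop syslog output from interrupting typed
! commands, and disconnect after 5 minutes 0 seconds of inactivity.
SW1(config)# line console 0
SW1(config-line)# history size 30
SW1(config-line)# logging synchronous
SW1(config-line)# exec-timeout 5 0
SW1(config-line)# exit
! Same settings for the vty (Telnet/SSH) lines.
SW1(config)# line vty 0 15
SW1(config-line)# history size 30
SW1(config-line)# logging synchronous
SW1(config-line)# exec-timeout 5 0
SW1(config-line)# end
! Per-session override from EXEC mode, and the command that lists the buffer.
SW1# terminal history size 50
SW1# show history
! Note: exec-timeout 0 0 disables the idle timer entirely, leaving an unattended
! console session logged in indefinitely; keep that for lab use only.
```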
The configurations discussed here apply only to switches, not routers. The LAN switch configurations covered are:
Switch IP Configuration
Interface Configuration
Port Security
VLAN Configuration
Securing Unused Interfaces
Switch IP Configuration
To allow Telnet, SSH, Simple Network Management Protocol (SNMP) and Cisco Device Manager (CDM) to work properly, the switch needs an IP address. Switches don't need an IP address to forward Ethernet frames. You can configure a switch with its IP address, mask and gateway, or the switch can learn them dynamically using DHCP. An IOS-based switch uses a special virtual interface, the VLAN 1 interface, to configure the IP address and mask. This interface plays the same role as an Ethernet interface on a PC.
To administratively disable an interface, use the shutdown interface subcommand. You can verify this with show running-config.
To configure the switch as a DHCP client, use the following steps:
Enter VLAN 1 configuration mode
Instead of assigning an IP address and mask, use the dhcp form of the ip address command; there is no need to define the default gateway
To verify it, we can't use the show running-config command; instead we have to use the show dhcp lease command
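Both ways of giving the switch its management address, as an added example (not from the slides); the addresses are assumptions.

```cisco
! Static: address, mask and default gateway entered by hand.
SW1(config)# interface vlan 1
SW1(config-if)# ip address 192.168.1.10 255.255.255.0
! VLAN 1 is shut down by default; without this the address never comes up.
SW1(config-if)# no shutdown
SW1(config-if)# exit
SW1(config)# ip default-gateway 192.168.1.1
SW1(config)# end
! Verify: the static address appears in running-config.
SW1# show running-config interface vlan 1
!
! DHCP alternative: the lease supplies address, mask and default gateway.
SW1(config)# interface vlan 1
SW1(config-if)# ip address dhcp
SW1(config-if)# no shutdown
SW1(config-if)# end
! Verify: running-config only shows "ip address dhcp"; the leased address is here.
SW1# show dhcp lease
! Either way, the interface must report "up, line protocol is up".
SW1# show interfaces vlan 1
```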
If you forget to issue the no shutdown command, the VLAN 1 interface remains in its default shutdown state. You can use the show interfaces vlan1 command to check the state and the IP address assigned by DHCP.
Interface Configuration
Interface refers to the physical ports used to forward data to and from other devices. Interfaces are named with the convention media-type slot#/port#, where media type is Ethernet, FastEthernet, GigabitEthernet, Serial, Token-Ring, or another media type.
Slot numbers apply only to routers that provide slots into which you can install modules (called modular routers). The port number refers to the port within the module; for example, fastethernet 0/0 is module 0, port 0. The figure shows the slot numbering and interface ports.
IOS uses interface subcommands to configure several settings for each interface. The example shows the interface subcommands duplex, speed and description. First enter interface configuration mode for port 1.
If the duplex and speed commands are not configured, an interface uses auto-negotiation (shown as a-full and a-100). You can verify with show running-config or show interfaces status.
Port Security
An engineer can use port security to restrict an interface so that only the expected devices can use it. When an inappropriate device attempts to send frames into the switch interface, the switch can issue informational messages and discard the frames. Port security is disabled by default. The example on the next slide shows a port security configuration.
Make the interface an access port. There are two types of port, access and trunk. Access ports are what you would typically plug a server, PC/laptop, printer, etc. into; a device plugged into such a port can only communicate with other devices in the same VLAN. Trunk ports are what you would typically plug a router into for inter-VLAN routing, or another switch in order to "share" VLANs between switches.
Specify the MAC address(es) allowed to send frames into this interface; use this command multiple times to define more than one address. Alternatively, use the switchport port-security mac-address sticky command to learn and configure the MAC addresses from the first frame sent to the switch.
Define the action taken when a frame is received from a MAC address other than the defined address; shutdown means shut down the port if there is a security violation.
Enable port security on the interface; the opposite is no switchport port-security.
Specify the maximum number of MAC addresses allowed to be associated with this interface.
Swap the ports for the PCs as shown and check the port status again.
The port status changes to secure-shutdown, which means the interface has been disabled. The violation occurs because PC1 has a different MAC address from PC0; the security violation count also shows 1.
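The port security steps above, followed by what the verification looks like and how the port is recovered afterwards, as an added example (not from the slides); the interface FastEthernet0/1 and the output values shown are assumptions.

```cisco
! Port security only works on an access port, so set the mode first.
SW1(config)# interface FastEthernet0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
! One device per port; learn its MAC address from the first frame (sticky)
! and shut the port down if any other source MAC address appears.
SW1(config-if)# switchport port-security maximum 1
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# switchport port-security violation shutdown
SW1(config-if)# end
! Verification (illustrative values) before any violation:
SW1# show port-security interface FastEthernet0/1
!   Port Security              : Enabled
!   Port Status                : Secure-up
!   Violation Mode             : Shutdown
!   Maximum MAC Addresses      : 1
!   Security Violation Count   : 0
!
! After PC1 is moved onto the port, Port Status reads Secure-shutdown,
! Security Violation Count reads 1 and the interface is err-disabled.
! Once the cabling is corrected, clear the stale sticky entry if the
! expected device has changed, then bounce the port to re-enable it.
SW1# clear port-security sticky interface FastEthernet0/1
SW1# configure terminal
SW1(config)# interface FastEthernet0/1
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
```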
VLAN Configuration
Interfaces are considered to be either access interfaces or trunk interfaces. Access interfaces send and receive traffic only in a single VLAN, called the access VLAN. Trunking interfaces send and receive traffic in multiple VLANs. VLAN trunking is covered in the ICND2 exam course; here we discuss only the access VLAN. By default, Cisco switches already have VLAN 1 configured, and all interfaces are assigned to VLAN 1 by default.
To add another VLAN and assign access interfaces to it, consider the following example.
Check the summary of the VLAN information: it shows the five default undeletable VLANs, with all interfaces assigned to VLAN 1.
The vlan command defines a VLAN with the unique id 2 and puts the switch into VLAN configuration mode. Name this VLAN fin_vlan.
Exit from VLAN configuration mode.
Select multiple interfaces to execute commands on all of them at the same time.
Set the VLAN for the interfaces; access means that the interfaces are already in access mode.
Verify the setting with the show command.
Check the summary of the VLAN information again: it now shows the entry for the newly created VLAN, with two interfaces assigned to it.
Securing Unused Interfaces
By default, an interface is in the no shutdown state with speed and duplex set to auto-negotiate. By default all interfaces are assigned to VLAN 1, and each interface by default uses VLAN features like VLAN trunking and VLAN Trunking Protocol (VTP), which are covered in ICND2. These default configurations make switches vulnerable to security threats.
The following commands show how to override the default settings and make unused ports more secure:
Enter port configuration mode
Disable the interfaces
Change the mode to access, to avoid VLAN trunking and VTP
Assign the ports to a VLAN, usually one that is not otherwise used
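One added example (not from the slides) that covers both the fin_vlan example above and the unused-interface hardening just described; the interface ranges and the parking VLAN id 999 are assumptions.

```cisco
! VLAN 2 named fin_vlan, with Fa0/1 and Fa0/2 as access ports in it.
SW1(config)# vlan 2
SW1(config-vlan)# name fin_vlan
SW1(config-vlan)# exit
SW1(config)# interface range FastEthernet0/1 - 2
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 2
SW1(config-if-range)# exit
!
! Unused ports: an otherwise unused parking VLAN, access mode so the port can
! never negotiate a trunk, and administratively shut down.
SW1(config)# vlan 999
SW1(config-vlan)# name UNUSED_PARKING
SW1(config-vlan)# exit
SW1(config)# interface range FastEthernet0/3 - 24
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 999
SW1(config-if-range)# shutdown
SW1(config-if-range)# end
!
! Verification: fin_vlan lists Fa0/1-2 and UNUSED_PARKING lists Fa0/3-24 in
! show vlan brief; show interfaces status reports Fa0/3-24 as disabled.
SW1# show vlan brief
SW1# show interfaces status
```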